Top 6 Sources for Identifying Threat Actor TTPs

Posted: 17th August 2016

Key Takeaways

  • Know your enemy. Understanding threat actor TTPs is essential for an effective information security program.
  • Don’t be over reliant on a single source. The best security teams identify threat actor TTPs by combining intelligence from multiple sources.
  • Don’t confuse data with intelligence. Sources that provide unprocessed data will end up costing you in man-hours.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.Sun Tzu, The Art of War

Most organizations spend the majority of their security resources looking inward.

From compliance to penetration testing, they believe effective security is something that’s built up from within. Sadly, though, that isn’t the case.

Now, in all probability Sun Tzu wasn’t thinking of cyber security in the 5th century BC. If you hope to keep your organization safe from external sources, however, you’ll want to heed his advice.

Effective cyber security is a constantly changing set of goalposts, as threat actors find new and innovative ways to breach your network.

By gaining an understanding of both your own weaknesses and your opponents’ strengths, you can drastically enhance your information security program.

Top Threat Actor TTP Sources

To capture intelligence on threat actor tactics, techniques, and procedures (TTPs), you’ll need to use one (or more) of the following sources.

1. Open Source

There's no greater source of information on threat actor TTPs than the web.

Between the open, deep, and dark areas of the web, a massive quantity of relevant data is available to anybody who knows how to find it.

But of course, this isn’t a job to be done manually. Even the largest security team would take countless hours to turn up a tiny fraction of the available intelligence, particularly since the deep and dark areas of the web cannot be indexed by search engines.

Thankfully, a number of platforms are available that can collect and store threat data automatically, making this a much more viable approach than it was in the past.

The Good: Open source intelligence (OSINT) is available in massive quantities at relatively low cost. It's also highly shareable, and not restricted by time or geography — the internet is always available, after all.

Most importantly, OSINT sources can be quickly validated and contextualized against each other, significantly reducing the risk of false positives.

The Bad: The main criticism of OSINT is information overload. Without a platform that categorizes and prioritizes threat data, OSINT can easily become overwhelming.

Example: Like many OSINT platforms, Recorded Future collects data from hundreds of thousands of sources. Vitally, though, the platform automates the analysis process, contextualizing and tracking entities as well as providing alerts for the most important ones.

2. Darknets

Ever heard the saying “You’ll catch more flies with honey than vinegar?” Well, that’s what darknets count on.

A darknet is an area of your network, usually self-contained, that contains no services, no files, and no user accounts. All else being equal, your darknet will simply sit idle and achieve nothing.

But what happens when an attacker targets your organization?

Generally they’ll scan for open ports and vulnerabilities, and that’s where darknets shine. Since you know there’s no legitimate activity on your darknet, any sudden change in the status quo will be easy to spot. Not only can this tip you off to an incoming attack, it can also give you insight into the behavior and favorite tactics of the attacker.

Darknets are often intentionally configured with vulnerabilities, open ports, and attractive sounding names, making them prime targets for attack. Because of this, most darknets can also be described as honeypots.

The Good: Darknets are a low-cost security approach that provides verifiable and actionable data with a minimum of unnecessary “noise.” They present minimal risk to your organization, and can serve as an excellent early warning of incoming attacks.

The Bad: The big downside here is that darknets have to be attacked in order to be useful. This is a highly reactive security tool, and isn’t up to task as a standalone threat intelligence solution.

Example: Endgame Systems deploys a variety of honeypots, including darknets, in various types of networks with the goal of observing attack patterns and identifying new remote access vulnerabilities.

3. Telemetry

Put simply, telemetry is data collected throughout your network and sent to a receiving device for processing. This data includes port scanning, connection attempts, traffic, uploads, downloads, and so on.

From a security perspective, there are two types of telemetry. Internal telemetry is data collected within your network that can be used to find trends and identify foreign or malicious behavior. Vendor aggregated telemetry is data of the same sort collected by security companies and used to observe macro trends in both legitimate and malicious traffic.

Either way, telemetry data can be used to gain insight into threat actor TTPs, often in real time, and can also be used to quickly identify incoming attacks.

The Good: Telemetry data is verifiable and, so long as you have skilled personnel to interpret it, quickly actionable. It’s also freely available, at least within your own organization, and can be used for incident detection purposes. In the case of vendor aggregated telemetry, it can provide large-scale visibility into the latest threat actor TTPs.

The Bad: Again, telemetry data is somewhat passive, as malicious activity can only be analyzed as or after it has happened. The data requires processing by skilled personnel before it can be considered intelligence, which sharply increases the cost of this “free” resource.

Example: Antivirus companies often have access to network telemetry from their huge customer bases, which can be processed to produce threat intelligence and sold on as a service. On a smaller scale, LookingGlass uses your network telemetry in collaboration with open source threat intelligence to identify network breaches.

4. Scanning and Crawling

Unlike darknets and telemetry, scanning and crawling are a highly proactive approach to threat intelligence. They involve actively exploring the open web, scanning and cataloguing a huge range of ports and services, and providing information for analysis.

Although not a particularly popular activity among security vendors, there are a number of legitimate uses for the information gathered this way, including searching for externally identifiable vulnerabilities in your own systems.

The Good: Again, this is low cost data that can be used to tighten your organization’s security controls.

The Bad: It’s important to realize that the results of scanning and crawling exercises are data, rather than intelligence. What we’re talking about is massive quantities of raw, unprocessed data.

To process this data into intelligence, you’ll need a substantial amount of skilled manpower, making the exercise much more expensive than it initially appears.

There's also a significant risk of information overload. The vast majority of data collected from scanning and crawling exercises will be worthless, so identifying the valuable pieces will be difficult and time consuming.

Example: Shodan, the Internet of Things (IoT) search engine, is an example of a service that crawls the open web searching for and indexing internet-enabled devices.

5. Malware Processing

This is pretty much what you’d imagine: collecting and activating malware to record and store the results for analysis.

This can be conducted internally by cyber-savvy organizations, but is usually performed on a much larger scale by security vendors. The resulting intelligence is used to inform everything from security protocols to the latest antivirus products.

Most importantly from our perspective, analysis of the latest malware is a direct glimpse into the mind of the attacker. Historically there have been clearly identifiable trends in malware creation and distribution, so malware processing is extremely valuable as a means of staying one step ahead.

The Good: Malware processing provides verifiable, actionable indicators of compromise (IOCs) that can be used to tighten security controls across the board. Although the approach is technically passive, requiring malware to be written and released before it can take place, it usually enables organizations to prepare for new malware before they themselves have been affected by it.

The Bad: To some extent malware processing lacks context, since it's usually not conducted in the environments at risk of being attacked. Equally, since malware can only be analyzed after initial distribution has taken place, this approach is often more about damage minimization than total prevention.

Example: Team Cymru processes malware on a large scale, and provides a range of free and commercial products enabling users to search and splice captured metadata.

6. Closed Source and Human Relationships

Intelligence gained through closed source and human relationships, also known as HUMINT, is the closest we in the cyber security industry get to a James Bond film.

Usually taking place online, operatives will develop human relationships to gain access to closed forums, communities, and IRC servers belonging to hacking and cyber crime groups.

Unsurprisingly you won’t find much information online about the organizations actively involved in HUMINT gathering operations, as not everything about them can be strictly speaking legal. This is extremely high-end intelligence gathering, and is usually only conducted by dedicated security vendors and state-level governments.

The Good: Done well, HUMINT is highly current (even prescient), actionable, and organization specific. The goal is to know everything about an attack before it happens, and although this isn’t always possible, it’s still hugely beneficial to have even the barest details in advance.

The Bad: Unsurprisingly, HUMINT is very costly and labor intensive. It’s also not guaranteed to yield any results whatsoever, and even the best HUMINT operation needs to be backed up by other forms of intelligence.

Example: Intel 471 provides actor-centric threat intelligence relating to specific attacks.

Selecting Intelligence Sources

As is nearly always the case, your approach to identifying threat actor TTPs will depend heavily on the size of your organization and security budget. For a small organization with minimal budget, open source might be the only option.

And whilst multiple sources will usually provide more actionable results, it goes without saying that one source is far better than none at all.

Beyond this, your approach should be based on a detailed assessment of your organization’s needs. Don’t assume you can predict what each area of your organization would benefit from ... ask them. Chances are you’ll need much more varied intelligence than you’d initially thought.

And once you know what’s required, you can start to make decisions about the vendors, partners, and proprietary solutions that meet your needs.

If you think your organization could benefit from an understanding of threat actor TTPs, our latest white paper is for you. “Understand Your Attacker: A Practical Guide to Identifying TTPs With Threat Intelligence,” written by industry expert Levi Gundert, will help you make vital decisions such as how to identify threat actor TTPs, which intelligence sources to use, and how to use this intelligence to enhance your information security program. Download the white paper now.

In a world of limited resources and (seemingly) unlimited threats, prioritization is vital. By understanding your opposition, you'll have a much greater chance of avoiding breaches.

This information is also available to view as a SlideShare presentation.